cxf-dev mailing list archives

From Alessio Soldano <>
Subject AbstractUsernameTokenAuthenticatingInterceptor.createSubject principal ordering
Date Mon, 20 May 2013 08:10:12 GMT
The AbstractUsernameTokenAuthenticatingInterceptor comes with the
following abstract method:

    /**
     * Create a Subject representing a current user and its roles.
     * This Subject is expected to contain at least one Principal representing a user
     * and optionally followed by one or more principal Groups this user is a member of.
     * It will also be available in doCreateSecurityContext.
     * @param name username
     * @param password password
     * @param isDigest true if a password digest is used
     * @param nonce optional nonce
     * @param created optional timestamp
     * @return subject
     * @throws SecurityException
     */
    protected abstract Subject createSubject(String name,
                                             String password,
                                             boolean isDigest,
                                             String nonce,
                                             String created) throws SecurityException;

The javadoc implies that the ordering of principals in the returned
subject is relevant, and as a matter of fact there's a check in the
'setSubject' method relying on that (that is, on the assumption that the
user principal is the first one).
Would it make sense here / not break anything to relax the ordering
requirement a bit (to skip group principals that might be before the
actual user principal) and change the check, for example as in ? This might grant some flexibility to
implementors of that abstract method.


Alessio Soldano
Web Service Lead, JBoss
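The relaxed check discussed above, as an added illustration that is not part of the original message and not CXF's own code: instead of assuming the user principal is the first element of the Subject's principal set, the check skips whatever the implementor considers a group principal and then verifies that the first remaining principal is named after the authenticated user. The class, the helper names (findUserPrincipal, requireUserPrincipal), the RolePrincipal/UserPrincipal stand-ins and the isGroup predicate are all assumptions made for this example; the sample Subject is constructed inline.

```java
import java.security.Principal;
import java.util.function.Predicate;
import javax.security.auth.Subject;

public class SubjectPrincipalCheck {

    // Constructed stand-in for whatever group/role principal type an implementor
    // of createSubject uses; real code would test for its own group type.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed stand-in for the principal representing the authenticated user.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Return the first principal that is not a group principal, or null if the
     * subject is null or contains only group principals. Iteration order is
     * whatever the Subject's principal set yields; the point is that group
     * principals appearing before the user principal no longer matter.
     */
    static Principal findUserPrincipal(Subject subject, Predicate<Principal> isGroup) {
        if (subject == null) {
            return null;
        }
        for (Principal p : subject.getPrincipals()) {
            if (!isGroup.test(p)) {
                return p;
            }
        }
        return null;
    }

    /**
     * Relaxed replacement for a "first principal must be the user" check:
     * the subject must carry a non-group principal, and its name must match the
     * username that was actually authenticated. The name comparison is what
     * keeps a subject built for a different user from being accepted.
     */
    static void requireUserPrincipal(Subject subject, String expectedName,
                                     Predicate<Principal> isGroup) throws SecurityException {
        Principal user = findUserPrincipal(subject, isGroup);
        if (user == null || !expectedName.equals(user.getName())) {
            throw new SecurityException(
                "Failed Authentication : Subject has no user principal for '" + expectedName + "'");
        }
    }

    public static void main(String[] args) {
        Predicate<Principal> isGroup = p -> p instanceof RolePrincipal;

        // Constructed subject where a group principal precedes the user principal;
        // a strict "first principal" check would reject this, the relaxed one accepts it.
        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("admins"));
        subject.getPrincipals().add(new UserPrincipal("alice"));
        requireUserPrincipal(subject, "alice", isGroup);
        System.out.println("accepted: " + findUserPrincipal(subject, isGroup).getName());

        // Wrong user name is still rejected.
        try {
            requireUserPrincipal(subject, "bob", isGroup);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A subject holding only group principals is rejected as well.
        Subject groupsOnly = new Subject();
        groupsOnly.getPrincipals().add(new RolePrincipal("users"));
        try {
            requireUserPrincipal(groupsOnly, "alice", isGroup);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The predicate is passed in rather than hard-coded because which principal type counts as a group is exactly the detail the abstract method leaves to the implementor; the interceptor only needs to know how to tell the two apart.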
